US20140283057A1 - Tcp validation via systematic transmission regulation and regeneration - Google Patents

Tcp validation via systematic transmission regulation and regeneration Download PDF

Info

Publication number
US20140283057A1
US20140283057A1 US13/838,274 US201313838274A US2014283057A1 US 20140283057 A1 US20140283057 A1 US 20140283057A1 US 201313838274 A US201313838274 A US 201313838274A US 2014283057 A1 US2014283057 A1 US 2014283057A1
Authority
US
United States
Prior art keywords
tcp packet
intercepted
session state
packet
intercepted tcp
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US13/838,274
Other versions
US8978138B2 (en
Inventor
Mehdi Mahvi
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to US13/838,274 priority Critical patent/US8978138B2/en
Publication of US20140283057A1 publication Critical patent/US20140283057A1/en
Application granted granted Critical
Publication of US8978138B2 publication Critical patent/US8978138B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00Routing or path finding of packets in data switching networks
    • H04L45/32Flooding
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0254Stateful filtering
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]

Definitions

  • the invention relates generally to data network communications and more particularly to a technique for validating transmission control protocol (TCP) communication between a client requesting resources and a server providing requested resources to protect the specified server from a distributed denial of service (DDoS) attack.
  • TCP transmission control protocol
  • DDoS distributed denial of service
  • an initial packet with a TCP bit flag SYN is generated from a client to a server.
  • a plurality of intermediary routing and switching devices assure the delivery of the data packet from the client to the server, and vice versa.
  • the server generates a response packet with the TCP bit flags SYN and ACK set.
  • the client responds with a TCP ACK packet, establishing a completed TCP session.
  • the server Upon generation of the initial TCP SYN packet from the client, the server reserves and allocates a predetermined quantity of system resources, including processor, ram, and/or disk for the facilitation of this connection.
  • the server maintains these resources for a predetermined period of time often as long as several minutes.
  • an attacker can take advantage of this situation by generating a large quantity of SYN packets to the server, exhausting all system resources. The server will then become unresponsive to legitimate client requests, thus denying service to legitimate clients. This is one embodiment of a “denial of service” attack.
  • prior art systems “detect” denial of service conditions, but fail to actually mitigate this undesirable situation.
  • Rooney Rooney et al.
  • the packet metric parameter which might comprise the volume of packets received is analyzed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located.
  • the expected behavior can be employed to identify traffic distortions revealing a DDoS attack.
  • a drawback of Rooney is that it is unable to prevent a “syn flood” attack as no single packet will meet the thresholds set.
  • TCP transmission control protocol
  • an initiating connection is performed by a TCP packet with the SYN bit flag set.
  • the client retransmits further SYN packets.
  • the client depending on the operating system configuration, can transmit several SYN packets.
  • the client is validated with a high degree of certainty to be legitimate.
  • the present invention will know, with a high degree of certainty, that the requesting client is illegitimate and can be blocked.
  • the present invention solves the problem of a denial of service condition by validating the legitimate authenticity of connections, and is extremely simple to implement in a software system on an apparatus in a network environment.
  • the apparatus can achieve high performance with relative ease of implementation.
  • the software system can also be replicated into a global network utilizing a state session sharing mechanism.
  • a method for validating transmission control protocol (TCP) packets during a communications session comprises the steps of: intercepting a TCP packet; checking a hash table to determine if a hash entry exists for the intercepted TCP packet, if no hash entry exists in the hash table for the intercepted TCP packet then generating a hash entry for the intercepted TCP packet by hashing a source IP address, a source port, a destination IP address, and a destination port associated with the intercepted TCP packet, and storing a session state associated with the intercepted TCP packet in the hash table as NONE, if a hash entry exists in the hash table for the intercepted TCP packet then retrieving the session state associated with the intercepted TCP packet; determining if the session state is designated as blacklisted, if the session state is designated as blacklisted then discarding the intercepted TCP packet, if the session state is not designated as blacklisted then identifying a TCP packet flag associated with
  • An advantage of the present invention is its simplicity of implementation. As the present invention does not necessitate the interception of egress traffic, it can be implemented with relative ease. Network asymmetric is no longer a problem because of this.
  • Another advantage is that it provides a very high level of security against invalid client connections. In testing, a significant portion of attacks utilize methods, procedures, patterns, and fingerprints that are thwarted by the present invention.
  • Another advantage of the present invention is the versatility of the hash function. Utilizing different hash functions, different advantages based on the advantages the different hash functions provide. Some hash functions provide advantages for disparate sets, while others provide advantages for similar sets. The purpose of the hash function can dictate the application of the present invention.
  • Another advantage is that the memory footprint required by the present invention is fairly low as not much information is stored on each state session.
  • the total state session information saved is 32 bits for source address, 32 bits for destination address, 16 bits for source port address, 16 bits for destination port address, 8 bits for a state identifier, and 8 bits for a SYN counter.
  • FIG. 1 illustrates a communication system according to an embodiment of the invention
  • FIG. 2 illustrates a TCP validation method according to an embodiment of the invention
  • FIG. 3 illustrates a TCP validation method according to another embodiment of the invention.
  • FIGS. 1-3 wherein like reference numerals refer to like elements.
  • the present invention may be implemented as software residing and executing on one or more computers, i.e., apparatuses.
  • the apparatus or set of apparatuses receive network traffic and generate control messages to dictate the flow of particular traffic.
  • the network traffic that is passed through an apparatus consists of all network traffic that is desired to be securely managed. This can include network all network traffic or a particular subset off network traffic such as network traffic destined to a particular subsection of the network. Network traffic can originate in any point of presence that the service provider or content provider resides.
  • the apparatus itself also controls the flow of traffic to limit, restrict, or allow such traffic communication based on the control logic described herein.
  • FIG. 1 illustrates a communication system according to an embodiment of the invention.
  • the communication system comprises a client 101 , an apparatus 102 implementing logic as described herein, a router 103 , and a server 104 .
  • client 101 , router 103 , and server 104 are readily apparent to one of ordinary skill in the art.
  • FIG. 2 illustrates a TCP validation method according to an embodiment of the invention.
  • a packet originates and is intercepted by apparatus 102 at step 200 .
  • the packet originates from client 101 , which transmits a TCP SYN packet 105 to server 104 , intercepted by apparatus 102 .
  • a session state is either conceived for the packet and inserted into a hash table, or is retrieved from the existing state session in the hash table.
  • This session state is based on a hash entry for the source IP address, source port, destination IP address, and destination port of the packet.
  • the session state determines the current state of the session and can be of type “OPEN1”, “OPEN2”, “EST”, or “BLACKLIST”.
  • the apparatus 102 ignores further processing on the packet at step 202 .
  • This hash can be accessed again at any point to retrieve data regarding the session.
  • An applicable and configurable timeout is applied to this session in step 201 based on the environmental needs and requirements this methodology or apparatus is deployed in, often about 24 hours, at which point if communication has not taken place for specified time, the session is expired to free up memory resources.
  • This session timeout functionality can be implemented at step 201 where the system checks for the existence of the packet in an existing session. If the timeout period has expired, the function would not return an existing hash entry.
  • the hash algorithm usable for this invention is any type of available hash algorithm, the identification and implementation of which is apparent to one of ordinary skill in the art.
  • Example hash algorithms can be found at en.wikipedia.org/wiki/Hash_function.
  • a usable hash function is ‘perfect hashing’.
  • the hashing function needs to be able to locate a record with certainty.
  • the hashing function needs to support the hash table identifiers source IP, source port, destination IP, and destination port.
  • the hash function needs to support an additional field to maintain timeout.
  • Apparatus 102 processes the packet at steps 200 , 201 , and 202 . If the state of the session is Other 206 , and if the SYN count is equal to one at step 207 , apparatus 102 sets state to “OPEN1” and ignores any further processing on the packet 215 . If the state of the session is Other 206 and if SYN count is equal to 2 or 3 at step 209 , the state is set to OPEN2 and the packet is replicated to the end server 104 via SYN commands 106 and 107 . If the SYN count is greater than 3 at step 208 , the state is set to blacklist and further processing is ignored.
  • the server 104 responds with a TCP SYNACK packet 108 to the client 101 .
  • the client 101 transmits a TCP ACK packet 109 that is intercepted by apparatus 102 .
  • apparatus 102 processes the packet type. If the packet is not a SYN packet, the apparatus 102 determines the state at step 205 . If the packet is of state NONE or OPEN1 210 , the packet is ignored. If the packet is of state EST or OPEN2 211 , the apparatus 102 sets state to EST and replicates the packet at packets 109 , 110 , and 212 . No further processing is necessary at this point as necessary TCP packets have been replicated for effective communication. This design encompasses all TCP packets.
  • apparatus 102 resides on a network, capable of receiving and transmitting network communication traffic, while this device, or another device, prevents the standard flow of this communication traffic between the client 101 and the server 104 .
  • apparatus 102 serves as a transparent device manipulating the migration of data packets from one portion of a network to another in the interest of providing network security for a plurality of systems on said network.
  • apparatus 102 is replicated into a multi-location mitigation system such as a global mitigation system.
  • a multi-location mitigation system such as a global mitigation system.
  • Each node performs the necessary functionality to provide protection to a large subset of end servers.
  • apparatus 102 is a module on a computer system that performs these tasks to mitigate attempted denial of service against that single computer system to protect its resources.
  • a spoofed attack is an Internet flood where a plurality of systems generate an attack wherein the source IP address of the attack is malformed such that the address does not belong to the specific system generating the attack.
  • a system can generate spoofed packets at a high data rate as the response to the generated packets do not reach the system. This is because the source IP addresses that the attacking system is utilizing for the attack do not belong to it.
  • the responses, as generated by the remote systems arrive at other systems across the Internet. This behavior is prevalent in many attacks currently taking place on the Internet. Many intermediary network devices managed by network operators do not inhibit this form of traffic.
  • a socket is created based on some identifying information, often utilizing the source IP address, source port, destination IP address, and destination port. This socket is unique to the connection with these identifying characteristics, or other similar identifying characteristics.
  • a socket utilizes system resources such as memory and processing power.
  • a plurality of systems transmit, at a sufficient data rate, transmit TCP SYN packets with spoofed source IP addresses against a target remote server, often with the intent to create a denial of service condition.
  • the remote system receives these SYN packets, it opens a socket by allocating memory and resources to accept the packet, and attempts to respond to them with a TCP SYNACK to proceed with TCP 3 way handshake.
  • the remote system does not time these sockets out for some predetermined time based on the operating system and the administrative settings, often about 30 seconds.
  • the system generating the attacks does not see the TCP SYNACK response. It simply continues sending TCP SYN packets to the remote server until the remote server is incapable of processing additional TCP SYN packets as all its resources have been exhausted.
  • this methodology prevents this condition by blocking the first TCP SYN packet.
  • this first TCP SYN packet is blocked, because all further packets are different, the attack no longer impacts the receiving system because the receiving system never sees these TCP SYN packets. The attack has been mitigated.
  • TCP SYN flood a plurality of systems transmit, at a sufficient data rate, TCP SYN packets against a target remote server, often with the intent to create a denial of service condition.
  • the source IP addresses of these systems are their real IP addresses.
  • the total capacity of the attack is directly correlated with the number of systems under the control of the attacker.
  • this methodology prevents this condition by blocking the first TCP SYN packet, fourth TCP packet, and consecutive TCP packets after that.
  • the methodology sets the session state for these packets to OPEN1, then replicates these packets to the end system.
  • the end system responds with a TCP SYNACK to the attacking system.
  • the attacking system ignores these as it is not actually intending to open a TCP connection with the target system. It continues sending TCP SYN packets, at which point the methodology sets the state to BLACKLIST because the SYN count exceeds 3. Once in blacklist, no further processing is performed on any other received TCP SYN packets. The attack has been mitigated.
  • FIG. 3 illustrates a TCP validation method according to another embodiment of the invention.
  • the difference in this environment begins at steps 201 ( d ), 201 ( e ) and 201 ( f ).
  • the system upon detection of an egress packet sets the state to EST. If an egress packet is not detected, the state is never set to EST and communication does not continue.
  • we check for state and if the state is EST 211 , we replicate the packet. By doing this, the apparatus makes sure that the server wants to communicate with the client. If the server has some local security policy to reject the client, this apparatus or methodology will honor this by virtue of design and not validate the client.
  • An advantage of the embodiment of FIG. 3 is that monitors egress traffic from the server 104 so as to verify that the server is in fact validating the connection.

Abstract

The present invention provides a technique for validating TCP communication between a client requesting resources and a server providing requested resources to protect the specified server from a denial of service attack wherein a plurality of clients initiate communication with a server, but do not complete the communication for the purpose of denying service to the server from other legitimate clients. Through systematic transmission regulation of TCP packets, an intermediary apparatus or set of apparatuses, can, to a high degree of certainty, validate client connections to protect the server from this saturated condition. The communication is then reproduced by the apparatus or apparatuses.

Description

    BACKGROUND OF THE INVENTION
  • 1. Field of Invention
  • The invention relates generally to data network communications and more particularly to a technique for validating transmission control protocol (TCP) communication between a client requesting resources and a server providing requested resources to protect the specified server from a distributed denial of service (DDoS) attack.
  • 2. Description of Related Art
  • In a traditional TCP 3-way handshake, the implementation of which is apparent to one of ordinary skill in the art, an initial packet with a TCP bit flag SYN is generated from a client to a server. A plurality of intermediary routing and switching devices assure the delivery of the data packet from the client to the server, and vice versa. The server generates a response packet with the TCP bit flags SYN and ACK set. The client then responds with a TCP ACK packet, establishing a completed TCP session.
  • Upon generation of the initial TCP SYN packet from the client, the server reserves and allocates a predetermined quantity of system resources, including processor, ram, and/or disk for the facilitation of this connection. The server maintains these resources for a predetermined period of time often as long as several minutes. As computer systems have limited resources, an attacker can take advantage of this situation by generating a large quantity of SYN packets to the server, exhausting all system resources. The server will then become unresponsive to legitimate client requests, thus denying service to legitimate clients. This is one embodiment of a “denial of service” attack. Generally, prior art systems “detect” denial of service conditions, but fail to actually mitigate this undesirable situation.
  • United States Patent Application Publication No. 2003/0226032 to Robert, the disclosure of which is incorporated by reference herein in its entirety, describes a mechanism for detecting denial of service attacks. A probabilistically determined portion of input packets of a connection are processed using a hash function to determine whether the packets belong to the flow initiated by a TCP SYN packet. A drawback of Robert is that it is dependent on the server handling traffic in advance of the flow detection. Once the server has been overloaded, the denial of service condition has been met.
  • U.S. Pat. No. 7,921,462 to Rooney et al. (“Rooney”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for detecting DDoS attacks within the Internet by sampling packets at a point or points in Internet backbone connections to determine a packet metric parameter. The packet metric parameter which might comprise the volume of packets received is analyzed over selected time intervals with respect to specified geographical locations in which the hosts transmitting the packets are located. The expected behavior can be employed to identify traffic distortions revealing a DDoS attack. A drawback of Rooney is that it is unable to prevent a “syn flood” attack as no single packet will meet the thresholds set.
  • United States Patent Application Publication No. 2002/0120853 to Tyree, the disclosure of which is incorporated by reference herein in its entirety, describes scripted distributed denial-of-service (DDoS) attack discrimination using turing, i.e., intelligence, tests. A drawback of Tyree is that it cannot be automatically implemented on systems where background communication is necessary, such as simple mail transport protocol (SMTP), and is not plausible in today's Internet topology. Moreover, turing tests are cumbersome for users.
  • United States Patent Application Publication No. 2004/0008681 to Govindaraj an et al. (“Govindaraj an”), the disclosure of which is incorporated by reference herein in its entirety, describes a technique for delaying allocation of resources until after the TCP three-way handshake is successfully completed. A drawback of Govindarajan is that implementation in an apparatus is complicated and performance scalability is difficult to achieve in asymmetric networks.
  • United States Patent Application Publication No. 2002/0103916 to Chen et al. (“Chen”), the disclosure of which is incorporated by reference herein in its entirety, describes architecture for thwarting denial of service attacks on a victim data center. The system includes a first plurality of monitors that monitor network traffic flow through the network. A central controller receives data from the plurality of monitors, over a hardened, redundant network. A drawback of Chen is that it cannot protect against “spoofed” attacks.
    • SUMMARY OF THE INVENTION
  • The present invention overcomes these and other deficiencies of the prior art by utilizing a simplistic approach that takes advantage of the inherent design philosophy of transmission control protocol (TCP). In TCP communication, an initiating connection is performed by a TCP packet with the SYN bit flag set. When the initial SYN packet is ignored by the receiving server, the client retransmits further SYN packets. The client, depending on the operating system configuration, can transmit several SYN packets. By blocking the transmission of this packet at an intermediary apparatus, storing the information, and awaiting for a second or third TCP SYN packet, the client is validated with a high degree of certainty to be legitimate. Conversely, if too many TCP SYN packets are received by the client or intermediary apparatus, the present invention will know, with a high degree of certainty, that the requesting client is illegitimate and can be blocked.
  • The present invention solves the problem of a denial of service condition by validating the legitimate authenticity of connections, and is extremely simple to implement in a software system on an apparatus in a network environment. Thus, the apparatus can achieve high performance with relative ease of implementation. The software system can also be replicated into a global network utilizing a state session sharing mechanism.
  • In an embodiment of the invention, a method for validating transmission control protocol (TCP) packets during a communications session comprises the steps of: intercepting a TCP packet; checking a hash table to determine if a hash entry exists for the intercepted TCP packet, if no hash entry exists in the hash table for the intercepted TCP packet then generating a hash entry for the intercepted TCP packet by hashing a source IP address, a source port, a destination IP address, and a destination port associated with the intercepted TCP packet, and storing a session state associated with the intercepted TCP packet in the hash table as NONE, if a hash entry exists in the hash table for the intercepted TCP packet then retrieving the session state associated with the intercepted TCP packet; determining if the session state is designated as blacklisted, if the session state is designated as blacklisted then discarding the intercepted TCP packet, if the session state is not designated as blacklisted then identifying a TCP packet flag associated with the intercepted TCP packet, if the TCP packet flag is identified as SYN then determining if the session state is designated as established, if the session state is designated as established then replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the session state is not designated as established then determining a SYN count associated with the intercepted TCP packet, if the determined SYN count is equal to one then storing the session state associated with the intercepted TCP packet in the hash table as OPEN1 and discarding the intercepted TCP packet, if the determined SYN count is equal to two or three then storing the session state associated with the intercepted TCP packet in the hash table as OPEN2 and replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the determined SYN count is equal to three or more then storing the session state associated with the intercepted TCP packet in the hash table as blacklisted and discarding the intercepted TCP packet, if the TCP packet flag is not identified as SYN then determining if the session state is designated as established, OPEN1, OPEN2, or NONE, if the determined session state associated with the intercepted TCP packet is NONE or OPEN1 then discarding the intercepted TCP packet, if the determined session state associated with the intercepted TCP packet is established or OPEN2 then replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server. The method further comprising applying a predetermined timeout to the communications session, wherein if communication has not taken place during the predetermined timeout, the session is expired.
  • An advantage of the present invention is its simplicity of implementation. As the present invention does not necessitate the interception of egress traffic, it can be implemented with relative ease. Network asymmetric is no longer a problem because of this.
  • Another advantage is that it provides a very high level of security against invalid client connections. In testing, a significant portion of attacks utilize methods, procedures, patterns, and fingerprints that are thwarted by the present invention.
  • Another advantage of the present invention is the versatility of the hash function. Utilizing different hash functions, different advantages based on the advantages the different hash functions provide. Some hash functions provide advantages for disparate sets, while others provide advantages for similar sets. The purpose of the hash function can dictate the application of the present invention.
  • Another advantage is that the memory footprint required by the present invention is fairly low as not much information is stored on each state session. The total state session information saved is 32 bits for source address, 32 bits for destination address, 16 bits for source port address, 16 bits for destination port address, 8 bits for a state identifier, and 8 bits for a SYN counter.
  • The foregoing, and other features and advantages of the invention, will be apparent from the following, more particular description of the preferred embodiments of the invention, the accompanying drawings, and the claims.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the ensuing descriptions taken in connection with the accompanying drawings briefly described as follows:
  • FIG. 1 illustrates a communication system according to an embodiment of the invention;
  • FIG. 2 illustrates a TCP validation method according to an embodiment of the invention; and
  • FIG. 3 illustrates a TCP validation method according to another embodiment of the invention.
    •  DETAILED DESCRIPTION OF EMBODIMENTS
  • Further features and advantages of the invention, as well as the structure and operation of various embodiments of the invention, are described in detail below with reference to the accompanying FIGS. 1-3, wherein like reference numerals refer to like elements.
  • The present invention may be implemented as software residing and executing on one or more computers, i.e., apparatuses. The apparatus or set of apparatuses receive network traffic and generate control messages to dictate the flow of particular traffic. The network traffic that is passed through an apparatus consists of all network traffic that is desired to be securely managed. This can include network all network traffic or a particular subset off network traffic such as network traffic destined to a particular subsection of the network. Network traffic can originate in any point of presence that the service provider or content provider resides. The apparatus itself also controls the flow of traffic to limit, restrict, or allow such traffic communication based on the control logic described herein.
  • FIG. 1 illustrates a communication system according to an embodiment of the invention. The communication system comprises a client 101, an apparatus 102 implementing logic as described herein, a router 103, and a server 104. The implementation of client 101, router 103, and server 104 is readily apparent to one of ordinary skill in the art.
  • FIG. 2 illustrates a TCP validation method according to an embodiment of the invention. In operation, a packet originates and is intercepted by apparatus 102 at step 200. The packet originates from client 101, which transmits a TCP SYN packet 105 to server 104, intercepted by apparatus 102. At step 201, a session state is either conceived for the packet and inserted into a hash table, or is retrieved from the existing state session in the hash table. This session state is based on a hash entry for the source IP address, source port, destination IP address, and destination port of the packet. The session state determines the current state of the session and can be of type “OPEN1”, “OPEN2”, “EST”, or “BLACKLIST”. If the state of the session is blacklisted, the apparatus 102 ignores further processing on the packet at step 202. This hash can be accessed again at any point to retrieve data regarding the session. An applicable and configurable timeout is applied to this session in step 201 based on the environmental needs and requirements this methodology or apparatus is deployed in, often about 24 hours, at which point if communication has not taken place for specified time, the session is expired to free up memory resources. This session timeout functionality can be implemented at step 201 where the system checks for the existence of the packet in an existing session. If the timeout period has expired, the function would not return an existing hash entry. The hash algorithm usable for this invention is any type of available hash algorithm, the identification and implementation of which is apparent to one of ordinary skill in the art. No specific algorithm is necessary for proper functionality. Example hash algorithms can be found at en.wikipedia.org/wiki/Hash_function. A usable hash function is ‘perfect hashing’. The hashing function needs to be able to locate a record with certainty. The hashing function needs to support the hash table identifiers source IP, source port, destination IP, and destination port. The hash function needs to support an additional field to maintain timeout.
  • Apparatus 102 processes the packet at steps 200, 201, and 202. If the state of the session is Other 206, and if the SYN count is equal to one at step 207, apparatus 102 sets state to “OPEN1” and ignores any further processing on the packet 215. If the state of the session is Other 206 and if SYN count is equal to 2 or 3 at step 209, the state is set to OPEN2 and the packet is replicated to the end server 104 via SYN commands 106 and 107. If the SYN count is greater than 3 at step 208, the state is set to blacklist and further processing is ignored.
  • The server 104 responds with a TCP SYNACK packet 108 to the client 101. The client 101 transmits a TCP ACK packet 109 that is intercepted by apparatus 102. If the state is blacklist at step 202, ignore further processing of the packet. If the state is not blacklist at step 203, apparatus 102 processes the packet type. If the packet is not a SYN packet, the apparatus 102 determines the state at step 205. If the packet is of state NONE or OPEN1 210, the packet is ignored. If the packet is of state EST or OPEN2 211, the apparatus 102 sets state to EST and replicates the packet at packets 109, 110, and 212. No further processing is necessary at this point as necessary TCP packets have been replicated for effective communication. This design encompasses all TCP packets.
  • In an embodiment of the invention, apparatus 102 resides on a network, capable of receiving and transmitting network communication traffic, while this device, or another device, prevents the standard flow of this communication traffic between the client 101 and the server 104. Thus, apparatus 102 serves as a transparent device manipulating the migration of data packets from one portion of a network to another in the interest of providing network security for a plurality of systems on said network.
  • In another embodiment of the invention, apparatus 102 is replicated into a multi-location mitigation system such as a global mitigation system. Each node performs the necessary functionality to provide protection to a large subset of end servers.
  • In another embodiment of the invention, apparatus 102 is a module on a computer system that performs these tasks to mitigate attempted denial of service against that single computer system to protect its resources.
  • A spoofed attack is an Internet flood where a plurality of systems generate an attack wherein the source IP address of the attack is malformed such that the address does not belong to the specific system generating the attack. A system can generate spoofed packets at a high data rate as the response to the generated packets do not reach the system. This is because the source IP addresses that the attacking system is utilizing for the attack do not belong to it. Thus, the responses, as generated by the remote systems arrive at other systems across the Internet. This behavior is prevalent in many attacks currently taking place on the Internet. Many intermediary network devices managed by network operators do not inhibit this form of traffic.
  • When a TCP SYN packet is received by a system, a socket is created based on some identifying information, often utilizing the source IP address, source port, destination IP address, and destination port. This socket is unique to the connection with these identifying characteristics, or other similar identifying characteristics. A socket utilizes system resources such as memory and processing power.
  • During a spoofed TCP SYN flood, a plurality of systems transmit, at a sufficient data rate, transmit TCP SYN packets with spoofed source IP addresses against a target remote server, often with the intent to create a denial of service condition. When the remote system receives these SYN packets, it opens a socket by allocating memory and resources to accept the packet, and attempts to respond to them with a TCP SYNACK to proceed with TCP 3 way handshake. The remote system does not time these sockets out for some predetermined time based on the operating system and the administrative settings, often about 30 seconds. The system generating the attacks does not see the TCP SYNACK response. It simply continues sending TCP SYN packets to the remote server until the remote server is incapable of processing additional TCP SYN packets as all its resources have been exhausted.
  • In FIG. 2, this methodology prevents this condition by blocking the first TCP SYN packet. When this first TCP SYN packet is blocked, because all further packets are different, the attack no longer impacts the receiving system because the receiving system never sees these TCP SYN packets. The attack has been mitigated.
  • During a standard TCP SYN flood, a plurality of systems transmit, at a sufficient data rate, TCP SYN packets against a target remote server, often with the intent to create a denial of service condition. The source IP addresses of these systems are their real IP addresses. Thus, the total capacity of the attack is directly correlated with the number of systems under the control of the attacker.
  • In FIG. 2, this methodology prevents this condition by blocking the first TCP SYN packet, fourth TCP packet, and consecutive TCP packets after that. When the attacking system generates the second and third TCP SYN packets, the methodology sets the session state for these packets to OPEN1, then replicates these packets to the end system. The end system responds with a TCP SYNACK to the attacking system. The attacking system ignores these as it is not actually intending to open a TCP connection with the target system. It continues sending TCP SYN packets, at which point the methodology sets the state to BLACKLIST because the SYN count exceeds 3. Once in blacklist, no further processing is performed on any other received TCP SYN packets. The attack has been mitigated.
  • FIG. 3 illustrates a TCP validation method according to another embodiment of the invention. The difference in this environment begins at steps 201(d), 201(e) and 201(f). The system, upon detection of an egress packet sets the state to EST. If an egress packet is not detected, the state is never set to EST and communication does not continue. As we can see in 205, we check for state, and if the state is EST 211, we replicate the packet. By doing this, the apparatus makes sure that the server wants to communicate with the client. If the server has some local security policy to reject the client, this apparatus or methodology will honor this by virtue of design and not validate the client.
  • An advantage of the embodiment of FIG. 3 is that monitors egress traffic from the server 104 so as to verify that the server is in fact validating the connection.
  • The invention has been described herein using specific embodiments for the purposes of illustration only. It will be readily apparent to one of ordinary skill in the art, however, that the principles of the invention can be embodied in other ways. Therefore, the invention should not be regarded as being limited in scope to the specific embodiments disclosed herein, but instead as being fully commensurate in scope with the following claims.

Claims (4)

What is claimed is:
1. A method for validating transmission control protocol (TCP) packets during a communications session, the entire method implemented on a computer processor and comprising the steps of:
intercepting a TCP packet;
checking a hash table to determine if a hash entry exists for the intercepted TCP packet, if no hash entry exists in the hash table for the intercepted TCP packet then
generating a hash entry for the intercepted TCP packet by hashing a source IP address, a source port, a destination IP address, and a destination port associated with the intercepted TCP packet, and
storing a session state associated with the intercepted TCP packet in the hash table as NONE,
if a hash entry exists in the hash table for the intercepted TCP packet then
retrieving the session state associated with the intercepted TCP packet;
determining if the session state is designated as blacklisted, if the session state is designated as blacklisted then discarding the intercepted TCP packet, if the session state is not designated as blacklisted then
identifying a TCP packet flag associated with the intercepted TCP packet, if the TCP packet flag is identified as SYN then
determining if the session state is designated as established, if the session state is designated as established then replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the session state is not designated as established then
determining a SYN count associated with the intercepted TCP packet, if the determined SYN count is equal to one then storing the session state associated with the intercepted TCP packet in the hash table as OPEN1 and discarding the intercepted TCP packet, if the determined SYN count is equal to two or three then storing the session state associated with the intercepted TCP packet in the hash table as OPEN2 and replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server, if the determined SYN count is greater than three then storing the session state associated with the intercepted TCP packet in the hash table as blacklisted and discarding the intercepted TCP packet,
if the TCP packet flag is not identified as SYN then
determining if the session state is designated as established, OPEN1, OPEN2, or NONE, if the determined session state associated with the intercepted TCP packet is NONE or OPEN1 then discarding the intercepted TCP packet, if the determined session state associated with the intercepted TCP packet is established or OPEN2 then storing the session state associated with the intercepted TCP packet in the hash table as established and replicating the intercepted TCP packet and forwarding the replicated intercepted TCP packet to a server.
2. The method of claim 1, wherein the TCP packet is a TCP packet with any TCP bit flag set, such as ACK, RST, FIN, URG, PUSH, or SYN.
3. The method of claim 1, wherein the session state session state determines the current state of a communications session and can be of type “OPEN1”, “OPEN2”, “EST”, or “BLACKLIST”.
4. The method of claim 1, further comprising applying a predetermined timeout to the communications session, wherein if communication has not taken place during the predetermined timeout, the session is expired.
US13/838,274 2013-03-15 2013-03-15 TCP validation via systematic transmission regulation and regeneration Active 2033-11-16 US8978138B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/838,274 US8978138B2 (en) 2013-03-15 2013-03-15 TCP validation via systematic transmission regulation and regeneration

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/838,274 US8978138B2 (en) 2013-03-15 2013-03-15 TCP validation via systematic transmission regulation and regeneration

Publications (2)

Publication Number Publication Date
US20140283057A1 true US20140283057A1 (en) 2014-09-18
US8978138B2 US8978138B2 (en) 2015-03-10

Family

ID=51535107

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/838,274 Active 2033-11-16 US8978138B2 (en) 2013-03-15 2013-03-15 TCP validation via systematic transmission regulation and regeneration

Country Status (1)

Country Link
US (1) US8978138B2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160134646A1 (en) * 2014-11-06 2016-05-12 Cisco Technology, Inc. Method and apparatus for detecting malicious software using handshake information
CN108683678A (en) * 2018-05-28 2018-10-19 北京天地和兴科技有限公司 A kind of abnormal behaviour prediction technique of Behavior-based control cooperative awareness model
EP3361693A4 (en) * 2015-11-24 2018-10-31 Wangsu Science & Technology Co., Ltd. Tcp connection processing method, device and system
CN110138678A (en) * 2018-02-08 2019-08-16 华为技术有限公司 Data transfer control method and device and web-transporting device and storage medium
KR102015735B1 (en) * 2018-12-28 2019-08-28 주식회사 모파스 Communication method and apparatus of peer for peer to peer(p2p) handshaking control
US10812525B2 (en) * 2015-12-30 2020-10-20 NSFOCUS Information Technology Co., Ltd. Method and system for defending distributed denial of service attack

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9197362B2 (en) * 2013-03-15 2015-11-24 Mehdi Mahvi Global state synchronization for securely managed asymmetric network communication

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104717A (en) * 1995-11-03 2000-08-15 Cisco Technology, Inc. System and method for providing backup machines for implementing multiple IP addresses on multiple ports
US6725378B1 (en) * 1998-04-15 2004-04-20 Purdue Research Foundation Network protection for denial of service attacks
US20070044142A1 (en) * 2005-08-19 2007-02-22 Yoon Seung Y Apparatus and method for managing session state
US7464410B1 (en) * 2001-08-30 2008-12-09 At&T Corp. Protection against flooding of a server
US20120117646A1 (en) * 2010-11-04 2012-05-10 Electronics And Telecommunications Research Institute Transmission control protocol flooding attack prevention method and apparatus

Family Cites Families (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2001253613A1 (en) 2000-04-17 2001-10-30 Circadence Corporation System and method for shifting functionality between multiple web servers
US7043759B2 (en) 2000-09-07 2006-05-09 Mazu Networks, Inc. Architecture to thwart denial of service attacks
US7398317B2 (en) 2000-09-07 2008-07-08 Mazu Networks, Inc. Thwarting connection-based denial of service attacks
US20020032871A1 (en) 2000-09-08 2002-03-14 The Regents Of The University Of Michigan Method and system for detecting, tracking and blocking denial of service attacks over a computer network
US7707305B2 (en) 2000-10-17 2010-04-27 Cisco Technology, Inc. Methods and apparatus for protecting against overload conditions on nodes of a distributed network
US7301899B2 (en) 2001-01-31 2007-11-27 Comverse Ltd. Prevention of bandwidth congestion in a denial of service or other internet-based attack
US20020120853A1 (en) 2001-02-27 2002-08-29 Networks Associates Technology, Inc. Scripted distributed denial-of-service (DDoS) attack discrimination using turing tests
US7028179B2 (en) 2001-07-03 2006-04-11 Intel Corporation Apparatus and method for secure, automated response to distributed denial of service attacks
US7657934B2 (en) 2002-01-31 2010-02-02 Riverbed Technology, Inc. Architecture to thwart denial of service attacks
US7743415B2 (en) 2002-01-31 2010-06-22 Riverbed Technology, Inc. Denial of service attacks characterization
US7373663B2 (en) 2002-05-31 2008-05-13 Alcatel Canada Inc. Secret hashing for TCP SYN/FIN correspondence
US7519991B2 (en) 2002-06-19 2009-04-14 Alcatel-Lucent Usa Inc. Method and apparatus for incrementally deploying ingress filtering on the internet
US7254133B2 (en) 2002-07-15 2007-08-07 Intel Corporation Prevention of denial of service attacks
CN100370757C (en) 2004-07-09 2008-02-20 国际商业机器公司 Method and system for dentifying a distributed denial of service (DDOS) attack within a network and defending against such an attack
US7478429B2 (en) 2004-10-01 2009-01-13 Prolexic Technologies, Inc. Network overload detection and mitigation system and method
US8346960B2 (en) 2005-02-15 2013-01-01 At&T Intellectual Property Ii, L.P. Systems, methods, and devices for defending a network
US8089871B2 (en) 2005-03-25 2012-01-03 At&T Intellectual Property Ii, L.P. Method and apparatus for traffic control of dynamic denial of service attacks within a communications network
US7797738B1 (en) 2005-12-14 2010-09-14 At&T Corp. System and method for avoiding and mitigating a DDoS attack
US8225399B1 (en) 2005-12-14 2012-07-17 At&T Intellectual Property Ii, Lp System and method for avoiding and mitigating a DDoS attack
US8370937B2 (en) 2007-12-03 2013-02-05 Cisco Technology, Inc. Handling of DDoS attacks from NAT or proxy devices
CN101588246B (en) 2008-05-23 2012-01-04 成都市华为赛门铁克科技有限公司 Method, network equipment and network system for defending distributed denial service DDoS attack
KR100908404B1 (en) 2008-09-04 2009-07-20 (주)이스트소프트 System and method for protecting from distributed denial of service
KR20130017333A (en) 2011-08-10 2013-02-20 한국전자통신연구원 Attack decision system of slow distributed denial of service based application layer and method of the same

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6104717A (en) * 1995-11-03 2000-08-15 Cisco Technology, Inc. System and method for providing backup machines for implementing multiple IP addresses on multiple ports
US6725378B1 (en) * 1998-04-15 2004-04-20 Purdue Research Foundation Network protection for denial of service attacks
US7464410B1 (en) * 2001-08-30 2008-12-09 At&T Corp. Protection against flooding of a server
US20070044142A1 (en) * 2005-08-19 2007-02-22 Yoon Seung Y Apparatus and method for managing session state
US20120117646A1 (en) * 2010-11-04 2012-05-10 Electronics And Telecommunications Research Institute Transmission control protocol flooding attack prevention method and apparatus

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160134646A1 (en) * 2014-11-06 2016-05-12 Cisco Technology, Inc. Method and apparatus for detecting malicious software using handshake information
US9854000B2 (en) * 2014-11-06 2017-12-26 Cisco Technology, Inc. Method and apparatus for detecting malicious software using handshake information
EP3361693A4 (en) * 2015-11-24 2018-10-31 Wangsu Science & Technology Co., Ltd. Tcp connection processing method, device and system
US10812525B2 (en) * 2015-12-30 2020-10-20 NSFOCUS Information Technology Co., Ltd. Method and system for defending distributed denial of service attack
CN110138678A (en) * 2018-02-08 2019-08-16 华为技术有限公司 Data transfer control method and device and web-transporting device and storage medium
CN108683678A (en) * 2018-05-28 2018-10-19 北京天地和兴科技有限公司 A kind of abnormal behaviour prediction technique of Behavior-based control cooperative awareness model
KR102015735B1 (en) * 2018-12-28 2019-08-28 주식회사 모파스 Communication method and apparatus of peer for peer to peer(p2p) handshaking control

Also Published As

Publication number Publication date
US8978138B2 (en) 2015-03-10

Similar Documents

Publication Publication Date Title
US11924170B2 (en) Methods and systems for API deception environment and API traffic control and security
Mohammadi et al. Slicots: An sdn-based lightweight countermeasure for tcp syn flooding attacks
US8978138B2 (en) TCP validation via systematic transmission regulation and regeneration
Dayal et al. Research trends in security and DDoS in SDN
Qian et al. Off-path TCP sequence number inference attack-how firewall middleboxes reduce security
Handley et al. Internet denial-of-service considerations
US9633202B2 (en) Managing a DDoS attack
US8819821B2 (en) Proactive test-based differentiation method and system to mitigate low rate DoS attacks
US7730536B2 (en) Security perimeters
US8584236B2 (en) Method and apparatus for detecting abnormal traffic in a network
Moustis et al. Evaluating security controls against HTTP-based DDoS attacks
Karig et al. Remote denial of service attacks and countermeasures
KR101042291B1 (en) System and method for detecting and blocking to distributed denial of service attack
Kavisankar et al. A mitigation model for TCP SYN flooding with IP spoofing
Jeyanthi et al. Packet resonance strategy: a spoof attack detection and prevention mechanism in cloud computing environment
US9686311B2 (en) Interdicting undesired service
US20230208874A1 (en) Systems and methods for suppressing denial of service attacks
Devi et al. Cloud-based DDoS attack detection and defence system using statistical approach
Kavisankar et al. CNoA: Challenging Number Approach for uncovering TCP SYN flooding using SYN spoofing attack
US10182071B2 (en) Probabilistic tracking of host characteristics
Bojjagani et al. Early DDoS Detection and Prevention with Traced-Back Blocking in SDN Environment.
US20230396648A1 (en) Detecting ddos attacks by correlating inbound and outbound network traffic information
KR102027440B1 (en) Apparatus and method for blocking ddos attack
Ubale et al. Survey on DDoS Attack Techniques and Solutions in Software-Defined
Guha et al. ShutUp: End-to-end containment of unwanted traffic

Legal Events

Date Code Title Description
STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2551); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YR, SMALL ENTITY (ORIGINAL EVENT CODE: M2552); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

Year of fee payment: 8